Wednesday, 2018-10-10

*** itlinux has joined #openstack-keystone		00:03
*** lbragstad has joined #openstack-keystone		00:16
*** ChanServ sets mode: +o lbragstad		00:16
*** gyee has quit IRC		00:20
*** Dinesh_Bhor has joined #openstack-keystone		00:38
*** Dinesh_Bhor has quit IRC		00:49
*** Dinesh_Bhor has joined #openstack-keystone		00:52
*** jdennis has quit IRC		01:37
*** openstackgerrit has quit IRC		01:37
*** Dinesh_Bhor has quit IRC		01:37
*** d0ugal has quit IRC		01:37
*** tristanC has quit IRC		01:37
*** mugsie has quit IRC		01:37
*** jroll has quit IRC		01:37
*** odyssey4me has quit IRC		01:37
*** dmellado has quit IRC		01:37
*** mvkr has quit IRC		01:37
*** markvoelker has quit IRC		01:37
*** jmlowe has quit IRC		01:37
*** devx has quit IRC		01:37
*** aning has quit IRC		01:37
*** jhesketh has quit IRC		01:37
*** csatari has quit IRC		01:37
*** josecastroleon has quit IRC		01:37
*** dave-mccowan has quit IRC		01:37
*** vishakha has quit IRC		01:37
*** gagehugo has quit IRC		01:37
*** spsurya has quit IRC		01:37
*** etp has quit IRC		01:37
*** jmccrory has quit IRC		01:37
*** errr has quit IRC		01:37
*** trident has quit IRC		01:37
*** glb has quit IRC		01:37
*** masayukig[m] has quit IRC		01:37
*** pas-ha has quit IRC		01:37
*** mgagne has quit IRC		01:37
*** knikolla has quit IRC		01:37
*** dklyle has quit IRC		01:37
*** kukacz has quit IRC		01:37
*** BlackDex has quit IRC		01:37
*** szaher has quit IRC		01:37
*** gmann has quit IRC		01:37
*** belmoreira has quit IRC		01:37
*** wxy-xiyuan has quit IRC		01:37
*** zzzeek_ has quit IRC		01:37
*** eglute has quit IRC		01:37
*** jamielennox has quit IRC		01:37
*** cloudnull has quit IRC		01:37
*** nicolasbock has quit IRC		01:37
*** sayalilunkad has quit IRC		01:37
*** pooja_jadhav has quit IRC		01:37
*** jistr has quit IRC		01:37
*** hogepodge has quit IRC		01:37
*** kmalloc has quit IRC		01:37
*** lamt has quit IRC		01:37
*** cmurphy has quit IRC		01:37
*** lbragstad has quit IRC		01:37
*** imacdonn has quit IRC		01:37
*** adriant has quit IRC		01:37
*** d34dh0r53 has quit IRC		01:37
*** yankcrime has quit IRC		01:37
*** _KaszpiR_ has quit IRC		01:37
*** tonyb has quit IRC		01:37
*** bnemec has quit IRC		01:37
*** andreykurilin has quit IRC		01:37
*** rm_work has quit IRC		01:37
*** fungi has quit IRC		01:37
*** samueldmq has quit IRC		01:37
*** melwitt has quit IRC		01:37
*** andymccr has quit IRC		01:37
*** tobberydberg has quit IRC		01:37
*** Neptu has quit IRC		01:37
*** NikitaKonovalov has quit IRC		01:37
*** chason has quit IRC		01:37
*** hrybacki has quit IRC		01:37
*** mnaser has quit IRC		01:37
*** TheJulia has quit IRC		01:37
*** rledisez has quit IRC		01:37
*** ildikov has quit IRC		01:37
*** mordred has quit IRC		01:37
*** itlinux has quit IRC		01:37
*** jaosorior has quit IRC		01:37
*** xek has quit IRC		01:37
*** dims has quit IRC		01:37
*** kencjohnston has quit IRC		01:37
*** DinaBelova has quit IRC		01:37
*** larsks has quit IRC		01:37
*** jrist has quit IRC		01:37
*** jamiec_ has quit IRC		01:37
*** rodrigods has quit IRC		01:37
*** obre has quit IRC		01:37
*** johnthetubaguy has quit IRC		01:37
*** timburke has quit IRC		01:37
*** spotz has quit IRC		01:37
*** raginbajin has quit IRC		01:37
*** dansmith has quit IRC		01:37
*** zigo has quit IRC		01:37
*** tobias-urdin has quit IRC		01:37
*** niceplace has quit IRC		01:37
*** breton has quit IRC		01:37
*** rcernin has quit IRC		01:37
*** ianw has quit IRC		01:37
*** cwright has quit IRC		01:37
*** jlvillal has quit IRC		01:37
*** edmondsw has quit IRC		01:37
*** mbuil has quit IRC		01:37
*** aloga has quit IRC		01:37
*** Krenair has quit IRC		01:37
*** mattoliverau has quit IRC		01:37
*** andreaf has quit IRC		01:37
*** zioproto has quit IRC		01:37
*** robcresswell has quit IRC		01:37
*** hemna has quit IRC		01:37
*** chrome0 has quit IRC		01:37
*** charz has quit IRC		01:37
*** ChanServ has quit IRC		01:37
*** mattoliverau has joined #openstack-keystone		01:43
*** andreaf has joined #openstack-keystone		01:43
*** Krenair has joined #openstack-keystone		01:43
*** aloga has joined #openstack-keystone		01:43
*** mbuil has joined #openstack-keystone		01:43
*** edmondsw has joined #openstack-keystone		01:43
*** jlvillal has joined #openstack-keystone		01:43
*** cwright has joined #openstack-keystone		01:43
*** ianw has joined #openstack-keystone		01:43
*** rcernin has joined #openstack-keystone		01:43
*** odyssey4me has joined #openstack-keystone		01:43
*** jroll has joined #openstack-keystone		01:43
*** d0ugal has joined #openstack-keystone		01:43
*** mugsie has joined #openstack-keystone		01:43
*** Dinesh_Bhor has joined #openstack-keystone		01:43
*** breton has joined #openstack-keystone		01:43
*** niceplace has joined #openstack-keystone		01:43
*** tobias-urdin has joined #openstack-keystone		01:43
*** zigo has joined #openstack-keystone		01:43
*** dansmith has joined #openstack-keystone		01:43
*** raginbajin has joined #openstack-keystone		01:43
*** spotz has joined #openstack-keystone		01:43
*** timburke has joined #openstack-keystone		01:43
*** johnthetubaguy has joined #openstack-keystone		01:43
*** obre has joined #openstack-keystone		01:43
*** rodrigods has joined #openstack-keystone		01:43
*** jamiec_ has joined #openstack-keystone		01:43
*** jrist has joined #openstack-keystone		01:43
*** dklyle has joined #openstack-keystone		01:44
*** kukacz has joined #openstack-keystone		01:44
*** BlackDex has joined #openstack-keystone		01:44
*** szaher has joined #openstack-keystone		01:44
*** gmann has joined #openstack-keystone		01:44
*** bnemec has joined #openstack-keystone		01:44
*** andreykurilin has joined #openstack-keystone		01:44
*** rm_work has joined #openstack-keystone		01:44
*** fungi has joined #openstack-keystone		01:44
*** samueldmq has joined #openstack-keystone		01:44
*** melwitt has joined #openstack-keystone		01:44
*** belmoreira has joined #openstack-keystone		01:44
*** wxy-xiyuan has joined #openstack-keystone		01:44
*** nicolasbock has joined #openstack-keystone		01:44
*** zzzeek_ has joined #openstack-keystone		01:44
*** eglute has joined #openstack-keystone		01:44
*** jamielennox has joined #openstack-keystone		01:44
*** cloudnull has joined #openstack-keystone		01:44
*** sayalilunkad has joined #openstack-keystone		01:44
*** jdennis has joined #openstack-keystone		01:44
*** openstackgerrit has joined #openstack-keystone		01:44
*** zioproto has joined #openstack-keystone		01:45
*** charz has joined #openstack-keystone		01:45
*** robcresswell has joined #openstack-keystone		01:45
*** chrome0 has joined #openstack-keystone		01:45
*** hemna has joined #openstack-keystone		01:45
*** pooja_jadhav has joined #openstack-keystone		01:45
*** jistr has joined #openstack-keystone		01:45
*** hogepodge has joined #openstack-keystone		01:45
*** lamt has joined #openstack-keystone		01:45
*** kmalloc has joined #openstack-keystone		01:45
*** cmurphy has joined #openstack-keystone		01:45
*** csatari has joined #openstack-keystone		01:45
*** dmellado has joined #openstack-keystone		01:46
*** mvkr has joined #openstack-keystone		01:46
*** markvoelker has joined #openstack-keystone		01:46
*** jmlowe has joined #openstack-keystone		01:46
*** devx has joined #openstack-keystone		01:46
*** aning has joined #openstack-keystone		01:46
*** jhesketh has joined #openstack-keystone		01:46
*** hrybacki has joined #openstack-keystone		01:46
*** chason has joined #openstack-keystone		01:46
*** NikitaKonovalov has joined #openstack-keystone		01:46
*** mnaser has joined #openstack-keystone		01:46
*** TheJulia has joined #openstack-keystone		01:46
*** rledisez has joined #openstack-keystone		01:46
*** ildikov has joined #openstack-keystone		01:46
*** mordred has joined #openstack-keystone		01:46
*** andymccr has joined #openstack-keystone		01:46
*** tobberydberg has joined #openstack-keystone		01:46
*** Neptu has joined #openstack-keystone		01:46
*** imacdonn has joined #openstack-keystone		01:46
*** adriant has joined #openstack-keystone		01:46
*** d34dh0r53 has joined #openstack-keystone		01:46
*** yankcrime has joined #openstack-keystone		01:46
*** tonyb has joined #openstack-keystone		01:46
*** _KaszpiR_ has joined #openstack-keystone		01:46
*** jaosorior has joined #openstack-keystone		01:46
*** kencjohnston has joined #openstack-keystone		01:46
*** DinaBelova has joined #openstack-keystone		01:46
*** larsks has joined #openstack-keystone		01:46
*** ChanServ has joined #openstack-keystone		01:47
*** card.freenode.net sets mode: +o ChanServ		01:47
*** lbragstad has joined #openstack-keystone		01:48
*** tristanC has joined #openstack-keystone		01:48
*** ChanServ sets mode: +o lbragstad		01:49
*** mgagne has joined #openstack-keystone		01:49
*** Guest10461 has joined #openstack-keystone		01:49
*** trident has joined #openstack-keystone		01:49
*** dave-mccowan has joined #openstack-keystone		01:51
*** itlinux has joined #openstack-keystone		01:54
*** sapd1 has joined #openstack-keystone		02:11
*** lbragstad has quit IRC		02:14
*** vishakha has joined #openstack-keystone		02:25
*** dave-mccowan has quit IRC		03:08
*** gagehugo_ has joined #openstack-keystone		03:49
*** Dinesh_Bhor has quit IRC		03:58
*** aojea has joined #openstack-keystone		04:02
*** aojea has quit IRC		04:07
*** spsurya has joined #openstack-keystone		04:43
*** Dinesh_Bhor has joined #openstack-keystone		04:54
*** shyam89 has joined #openstack-keystone		05:11
*** jrist has quit IRC		05:11
openstackgerrit	Vishakha Agarwal proposed openstack/keystone master: Implement scope_type checking for role_assignments https://review.openstack.org/609210	05:26
openstackgerrit	Vishakha Agarwal proposed openstack/keystone master: [WIP] Implement scope_type checking for role_assignments https://review.openstack.org/609210	05:32
*** shyam89 has quit IRC		05:42
*** felipemonteiro has joined #openstack-keystone		05:54
*** masayukig[m]1 has joined #openstack-keystone		05:56
*** shyam89 has joined #openstack-keystone		05:58
*** Dinesh_Bhor has quit IRC		06:12
*** shyam89 has quit IRC		06:12
*** aojea has joined #openstack-keystone		06:15
kmalloc	sigh something merged that caused all of the flask stuff to be in merge conflict	06:16
kmalloc	i kindof want to do a revert because i don't want to chase an rebase here.	06:17
openstackgerrit	Morgan Fainberg proposed openstack/keystone master: Revert "Enable foreign keys for unit test" https://review.openstack.org/609266	06:17
openstackgerrit	Morgan Fainberg proposed openstack/keystone master: Convert auth to flask native dispatching https://review.openstack.org/603461	06:24
openstackgerrit	Morgan Fainberg proposed openstack/keystone master: Auth flask conversion cleanup https://review.openstack.org/608756	06:24
openstackgerrit	Morgan Fainberg proposed openstack/keystone master: Convert /v3/users to flask native dispatching https://review.openstack.org/609071	06:24
openstackgerrit	Morgan Fainberg proposed openstack/keystone master: Convert projects API to Flask https://review.openstack.org/603451	06:24
openstackgerrit	Morgan Fainberg proposed openstack/keystone master: Remove skip for test_locked_out_user_sends_notification https://review.openstack.org/609159	06:24
*** shyam89 has joined #openstack-keystone		06:26
*** Dinesh_Bhor has joined #openstack-keystone		06:28
*** shyam89 has quit IRC		06:31
*** shyam89 has joined #openstack-keystone		06:31
*** aojea has quit IRC		06:41
*** Emine has joined #openstack-keystone		06:49
*** pcaruana has joined #openstack-keystone		06:50
*** rcernin has quit IRC		06:58
openstackgerrit	Vishakha Agarwal proposed openstack/keystone master: Remove deprecated trust_flush https://review.openstack.org/609277	07:04
*** odyssey4me has quit IRC		07:07
*** odyssey4me has joined #openstack-keystone		07:08
*** mugsie has quit IRC		07:08
*** mgagne has quit IRC		07:09
*** mgagne has joined #openstack-keystone		07:10
*** jroll has quit IRC		07:10
*** aojea_ has joined #openstack-keystone		07:12
*** jroll has joined #openstack-keystone		07:12
*** aojea_ has quit IRC		07:16
*** shyam89 has quit IRC		07:17
*** shyam89 has joined #openstack-keystone		07:17
*** mgagne has quit IRC		07:34
*** shyam89 has quit IRC		07:36
*** mgagne has joined #openstack-keystone		07:36
*** hoonetorg has joined #openstack-keystone		07:42
*** shyam89 has joined #openstack-keystone		07:48
*** aojea_ has joined #openstack-keystone		07:51
openstackgerrit	Vishakha Agarwal proposed openstack/keystone master: Adding 'date' for trust_flush https://review.openstack.org/607897	07:51
*** aojea_ has quit IRC		07:53
openstackgerrit	Vishakha Agarwal proposed openstack/keystone master: Adding 'date' for trust_flush https://review.openstack.org/607897	07:53
*** aojea__ has joined #openstack-keystone		07:53
*** shyam89 has quit IRC		07:55
*** Dinesh_Bhor has quit IRC		08:01
*** felipemonteiro has quit IRC		08:11
*** aojea__ has quit IRC		08:23
*** shyam89 has joined #openstack-keystone		08:43
*** belmorei_ has joined #openstack-keystone		08:57
*** belmoreira has quit IRC		09:00
*** Dinesh_Bhor has joined #openstack-keystone		09:12
*** aojea_ has joined #openstack-keystone		09:17
*** aojea_ has quit IRC		09:50
*** imacdonn has quit IRC		09:52
*** imacdonn has joined #openstack-keystone		09:52
*** mvkr has quit IRC		10:01
*** shyam89 has quit IRC		10:11
*** shyam89 has joined #openstack-keystone		10:12
*** aojea_ has joined #openstack-keystone		10:24
*** Dinesh_Bhor has quit IRC		10:25
*** dave-mccowan has joined #openstack-keystone		10:32
*** shyam89 has quit IRC		10:34
*** mvkr has joined #openstack-keystone		10:38
*** Dinesh_Bhor has joined #openstack-keystone		10:42
*** belmorei_ has quit IRC		10:46
*** belmoreira has joined #openstack-keystone		10:47
*** aojea_ has quit IRC		10:56
*** Dinesh_Bhor has quit IRC		11:14
*** jrist has joined #openstack-keystone		11:14
*** aojea_ has joined #openstack-keystone		11:29
*** shyam89 has joined #openstack-keystone		11:32
*** raildo has joined #openstack-keystone		11:52
*** belmoreira has quit IRC		12:05
*** aojea_ has quit IRC		12:08
*** belmoreira has joined #openstack-keystone		12:08
openstackgerrit	Juan Antonio Osorio Robles proposed openstack/oslo.policy master: Implement base for pluggable policy drivers https://review.openstack.org/577807	12:09
*** aojea_ has joined #openstack-keystone		12:23
cmurphy	kmalloc: can you proof the second section in https://etherpad.openstack.org/p/keystone-outreachy-proposals for me (also the first if you're interested)	12:26
*** aojea_ has quit IRC		12:48
openstackgerrit	Juan Antonio Osorio Robles proposed openstack/oslo.policy master: Implement base for pluggable policy drivers https://review.openstack.org/577807	13:04
*** mvkr has quit IRC		13:05
*** shyam89 has quit IRC		13:08
*** shyam89 has joined #openstack-keystone		13:08
*** shyam89 has quit IRC		13:14
*** aojea_ has joined #openstack-keystone		13:23
*** mchlumsky has joined #openstack-keystone		13:34
*** lbragstad has joined #openstack-keystone		13:38
*** ChanServ sets mode: +o lbragstad		13:38
openstackgerrit	Juan Antonio Osorio Robles proposed openstack/oslo.policy master: Implement base for pluggable policy drivers https://review.openstack.org/577807	14:09
kmalloc	Yeah reading	14:30
*** aojea_ has quit IRC		14:34
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Implement scaffolding for upgrade checks https://review.openstack.org/608785	14:34
*** aojea_ has joined #openstack-keystone		14:34
*** mvkr has joined #openstack-keystone		14:36
kmalloc	cmurphy: there is only one thing else, we already have a start of a test_client impl in keystone.tests.unit.core	14:37
kmalloc	cmurphy: looks good otherwise!	14:37
lbragstad	not sure what people want to do about testing upgrade checks until we have one to implement	14:39
lbragstad	left a note in ^ but that should be ready for review and consumption	14:39
cmurphy	kmalloc: edited	14:40
*** aojea_ has quit IRC		14:41
lbragstad	also - if anyone can think of an upgrade check we should perform i'll take a stab at implementing and testing it	14:42
cmurphy	lbragstad: i would start with anything in https://blueprints.launchpad.net/keystone/+spec/removed-as-of-rocky	14:44
cmurphy	does this notice about the token_auth middleware apply still? https://docs.openstack.org/releasenotes/keystone/rocky.html#prelude	14:45
lbragstad	the auth_token middleware one is a good one...	14:47
lbragstad	but a deployment would already need to be running stein (and have removed that already) in order to run keystone-status upgrade check, right?	14:48
cmurphy	wait no the check would need to be run before the upgrade happens	14:49
cmurphy	if the check is to check if it's safe to upgrade to stein	14:49
lbragstad	oh - right?	14:50
cmurphy	and i guess removed-as-of-rocky wouldn't apply because we're already on rocky	14:50
lbragstad	if we were implementing this last release maybe?	14:50
lbragstad	also..	14:51
lbragstad	things like https://review.openstack.org/#/c/543060/ tread a fine line between being a doctor check and an upgrade check	14:51
cmurphy	why would it be a doctor check?	14:52
lbragstad	we have doctor checks that inspect config	14:52
cmurphy	i think it's an upgrade check because you need to check for driver=sql before you should be allowed to upgrade	14:53
cmurphy	maybe it's both	14:53
lbragstad	oh - yeah i suppose that's a case	14:53
lbragstad	i was thinking of things that would "prevent" keystone from starting and ignored configuration options don't really fall into that category	14:54
lbragstad	in the case where driver=sql, should we return a failure or a warning?	15:02
* lbragstad wonders if we should be asking mriedem these questions		15:03
cmurphy	if driver=sql in rocky and they try to upgrade to stein then keystone won't start	15:04
cmurphy	so i would think failure	15:04
lbragstad	hmm	15:06
lbragstad	i set keystone.conf [token] driver=sql and restarted keystone just fine?	15:07
lbragstad	i'm on master, btw	15:07
cmurphy	can you get a token?	15:07
lbragstad	yup	15:09
lbragstad	so - i think it's because we removed that option	15:10
cmurphy	oh	15:10
lbragstad	and if we have driver=sql set in configuration, keystone doesn't really care	15:10
lbragstad	but if you do something like provider=fern	15:10
lbragstad	keystone will fail	15:10
lbragstad	i suppose we could add checks for removed configuration options and say "hey, you have a deprecated option in your config that we're not using"	15:13
cmurphy	++	15:13
lbragstad	i guess we have three ways to do that	15:14
*** gyee has joined #openstack-keystone		15:14
lbragstad	as a doctor check, an upgrade check that results in a warning, or an upgrade check that results in a failure	15:14
*** aojea_ has joined #openstack-keystone		15:15
*** Emine has quit IRC		15:19
*** jrist has quit IRC		15:23
*** Emine has joined #openstack-keystone		15:25
*** munimeha1 has joined #openstack-keystone		15:39
*** mvkr has quit IRC		15:40
*** Guest10461 is now known as dims		15:44
*** aojea_ has quit IRC		15:48
openstackgerrit	Andreas Jaeger proposed openstack/keystone master: Replace openSUSE experimental check with newer version https://review.openstack.org/609465	15:58
*** mvkr has joined #openstack-keystone		16:02
kmalloc	o/	16:05
openstackgerrit	Juan Antonio Osorio Robles proposed openstack/oslo.policy master: Implement base for pluggable policy drivers https://review.openstack.org/577807	16:33
kmalloc	lbragstad, gagehugo_, ayoung, cmurphy: rebased the flask chain	16:38
lbragstad	sweet - i am going to get to that today	16:38
kmalloc	once the outstanding patches land, we're down to the last bits of flask (conversion) and all our APIs are flask.	16:38
cmurphy	ty kmalloc	16:38
kmalloc	today i should have the middleware converted, and then strip out all the old legacy code.	16:39
lbragstad	and then... we party	16:39
kmalloc	we're close.	16:39
kmalloc	so close.	16:39
lbragstad	sweet sweet victory	16:40
*** aojea_ has joined #openstack-keystone		16:40
* cmurphy preps the champagne		16:42
lbragstad	cmurphy did you happen to catch that conversation in dev?	16:49
cmurphy	yeah kinda	16:51
lbragstad	ok	16:51
cmurphy	so checks for usage of parameters that were removed and replaced by something else	16:51
cmurphy	would be good candidates	16:52
cmurphy	is the gist?	16:52
lbragstad	yeah - the FFU case makes that pretty clear	16:52
lbragstad	but if that is the case, i'm not sure maintaining a big list of removed things is useful if we already take care of that in release notes?	16:52
cmurphy	i don't think member_role_{id,name} was replaced, right? just dropped because v2	16:52
cmurphy	yeah probably not that useful	16:53
lbragstad	correct	16:53
lbragstad	i guess we don't have to merge the upgradecheck stuff immediately...	16:53
lbragstad	i was just hoping to have a better testing example than noops	16:54
kmalloc	hm	16:58
kmalloc	lbragstad, cmurphy: is it worth moving away from KSM in keystone and implementing all the logic in a flask-native way?	16:59
kmalloc	we put a lot of effort into making authcontextmiddleware KSM with some additional keystone-specific "get token" logic	16:59
cmurphy	kmalloc: that sounds like a giant pita	17:00
kmalloc	that said, if we keep AuthContext - we will forever maintain a dep on webob	17:00
kmalloc	since we subclass ksm	17:00
kmalloc	it's not "really" just KSM.	17:00
kmalloc	if it was, that would be one thing.	17:00
lbragstad	i think having KSM deployed with keystone makes keystone more like other services (and less of a snowflake)	17:01
kmalloc	except we aren't really using KSM.	17:01
kmalloc	we have reimplemented almost all of KSM (except header processing) since tokens aren't retrieved via REST	17:02
kmalloc	otherwise you have the issue of "X-Auth-Token" need X-Auth-Token to be processed to validate X-Auth-Token	17:02
kmalloc	:P	17:02
kmalloc	it might be worth seeing if we can narrow down to where we use KSM and have a mechanism to plug in a "get token" function	17:03
kmalloc	instead of needing to re-implement process_requst, fetch_token, and all the extra bits.	17:04
kmalloc	for now i'll move json body and the other middlewares and leave ACM as is... but i really dislike how much we're re-implementing	17:04
gyee	kmalloc, lbragstad, we ran into a strange problem with keystone in rocky. Looks like the LBCHK method no longer supported. Do you guy recall getting rid of that one?	17:04
kmalloc	LBCHK?	17:05
gyee	we use LBCHK for HA configuration	17:05
kmalloc	what is LBCHK	17:05
gyee	load balancing check	17:05
kmalloc	ok, let me rephrase. where does it come from?	17:05
kmalloc	is this the /healthcheck app?	17:05
lbragstad	we supported that natively in keystone?	17:05
gyee	yes	17:05
kmalloc	it's located at /healthcheck	17:06
kmalloc	baked into keystone's app loading	17:06
gyee	so curl -X LBCHK http://<keystone>:5000 used to work fine	17:06
gyee	now its returning 405	17:06
kmalloc	https://github.com/openstack/keystone/blob/86cc778774bc6a561911be05075b4e3cdf6ef2b0/keystone/server/flask/application.py#L195-L198	17:07
gyee	we are running rocky right now	17:07
kmalloc	uhm	17:07
lbragstad	apparenly this wasn't tested?	17:07
gyee	do we ever test HA?	17:07
kmalloc	uhm	17:07
kmalloc	LBCHK is not standard http	17:08
kmalloc	that isn't a method	17:08
lbragstad	i've never seen LBCHK before actually	17:08
kmalloc	we do not support methods outside of RFC	17:08
kmalloc	#1	17:08
kmalloc	#2, who thought that was a good idea?	17:08
kmalloc	#3, you can curl /healthcheck	17:08
kmalloc	and get the data	17:09
kmalloc	(standard GET)	17:09
kmalloc	and see the old adage: If it isn't tested, it is broken	17:09
gyee	k, let me change it to /healthcheck instead	17:10
kmalloc	yeah that should work.	17:10
gyee	unfortunately I can't seem to dig up any history on that one	17:10
gyee	thanks guys!	17:10
lbragstad	if you find that history - please share it :)	17:10
kmalloc	it's an old hack from the healthcheck middleware (nee app)	17:10
kmalloc	basically if you use PASTE healthcheck middleware gets the request early	17:10
kmalloc	and can support custom HTTP methods.	17:11
lbragstad	mmm	17:11
kmalloc	flask, we implement none of those.	17:11
kmalloc	i could implement it but... ugh	17:11
kmalloc	i didn't even realize someone used a custom HTTP method	17:11
kmalloc	that sounds like such a terrible idea.	17:11
lbragstad	yeah - me either	17:11
* lbragstad finds calories		17:11
kmalloc	cmurphy: ok, so i'll do non-AuthContext middlewares and see if i can isolate the ACM overrides to be less "we need to implement all of KSM" and split apart the other bits to be more flask-native.	17:12
gyee	hey man, I inherited that shit :-)	17:12
kmalloc	cmurphy: if i can do that, i'll implement a "get_token_func" argument for ksm and we can remove a lot of the extra cruft.	17:13
kmalloc	gyee: heh	17:13
cmurphy	kmalloc: ok	17:13
kmalloc	gyee: can you implement a test for us (upstream): check that /healthcheck is working as expected?	17:13
kmalloc	gyee: so we don't accidently regress on that.	17:14
*** aojea_ has quit IRC		17:14
kmalloc	gyee: should be a simple restful testcase.	17:14
gyee	kmalloc, in devstack?	17:15
gyee	or just a simple functional test?	17:16
openstackgerrit	Morgan Fainberg proposed openstack/keystone master: Convert S3 and EC2 auth to flask native dispatching https://review.openstack.org/609500	17:16
kmalloc	gyee: in unit testds	17:16
kmalloc	keystone's*	17:16
gyee	kmalloc, k, let me work on it	17:17
kmalloc	lbragstad, cmurphy: ^ converting EC2 and S3 to Flask = no more contrib directory :)	17:17
gyee	meanwhile, let me update haproxy config to use healthcheck instead	17:17
cmurphy	kmalloc: ooh	17:17
kmalloc	cmurphy: fixing a minor issue wiuth that patch now.	17:20
kmalloc	but it's almost ready too.	17:20
kmalloc	(running unit tests locally)	17:21
openstackgerrit	Morgan Fainberg proposed openstack/keystone master: Convert S3 and EC2 auth to flask native dispatching https://review.openstack.org/609500	17:23
kmalloc	cmurphy: ^ there we go.	17:23
* cmurphy considers making coffee before reviewing flask patches		17:23
kmalloc	cmurphy: also note, the skipped notification test is unskipped here: https://review.openstack.org/#/c/609159/2	17:24
kmalloc	cmurphy: yes. I support coffee for those patches.	17:24
kmalloc	cmurphy: but just think, we are ... well super close to being done with the refactor of doom.	17:25
kmalloc	DOOM I SAY, DOOM.	17:25
cmurphy	https://youtu.be/s2jvANh2aEc?t=3	17:26
*** Emine has quit IRC		17:29
kmalloc	cmurphy: YES	17:30
kmalloc	cmurphy: https://www.youtube.com/watch?v=DMSHvgaUWc8	17:31
cmurphy	:)	17:31
*** aojea has joined #openstack-keystone		17:32
*** mvkr has quit IRC		17:33
*** pcaruana has quit IRC		17:55
kmalloc	LOL our json body middleware is doing a lot of extra work it shouldn't be doing :P	17:55
kmalloc	eyeroll	17:56
kmalloc	or well, long since useless/unused work	17:56
gyee	kmalloc, lbragstad, finally dig up the history on LBCHK. To make a long story short, a custom method was used at the time because the health check logs flooded keystone.log, making it unusable.	18:07
gyee	since now we have GET /healthcheck as opposed to GET /, we can now easily create a filter to filter out those from keystone logs	18:09
kmalloc	++	18:11
kmalloc	:)	18:11
*** pcaruana has joined #openstack-keystone		18:12
*** itlinux has quit IRC		18:13
*** raildo has quit IRC		18:17
kmalloc	cmurphy, lbragstad: can you find if we use "openstack.params" ENV anywhere except as a bit of throwaway logic in keystone's JSON Body middleware...	18:19
kmalloc	i think... we don't use it anywhere	18:20
cmurphy	kmalloc: idk what that is	18:20
lbragstad	was it a request env thing?	18:20
kmalloc	lbragstad: yeah.	18:20
kmalloc	lbragstad: as far as i can tell, we set values in it... and drop it on the floor	18:21
lbragstad	http://paste.openstack.org/show/731861/	18:21
kmalloc	never to be referenced again	18:21
cmurphy	http://codesearch.openstack.org/?q=openstack%5C.params&i=nope&files=&repos=	18:21
kmalloc	yeah	18:21
kmalloc	ok	18:21
kmalloc	i'm dropping that code on the floor	18:21
kmalloc	it is beyond useless	18:21
kmalloc	:P	18:21
kmalloc	eyeroll	18:21
lbragstad	https://git.openstack.org/cgit/openstack/keystone/tree/keystone/middleware/core.py#n73	18:22
kmalloc	yep	18:22
kmalloc	and we don't reference it after that	18:22
kmalloc	basically we're filtering things out and storing the data again in environ['openstack.params']	18:22
cmurphy	maybe it's not strictly useful to us but useful to someone debugging request headers?	18:22
kmalloc	for funzies	18:22
kmalloc	cmurphy: we filter "context" "self" and "_" stuff out, but nothing anywhere references it	18:23
lbragstad	https://review.openstack.org/#/c/508410/	18:23
cmurphy	or maybe one of the monitoring projects used to use it	18:23
kmalloc	lbragstad: ++	18:23
cmurphy	lol	18:23
kmalloc	hehe	18:23
lbragstad	actually - that's just removing duplication	18:24
cmurphy	oh	18:24
lbragstad	and putting the definition of openstack.params in a single place	18:24
lbragstad	which is wsgi	18:24
kmalloc	and like i said, we filter it and just leave it on the floor in memory forever	18:24
kmalloc	shrug	18:24
cmurphy	maybe jamielennox knows what it is then	18:24
hrybacki	lbragstad: we found a weird bug is Pike/Queens (not appearing in rocky) that look related to https://bugs.launchpad.net/keystone/+bug/1791111	18:25
openstack	Launchpad bug 1791111 in OpenStack Identity (keystone) "allow change password upon first use as user" [Undecided,New]	18:25
* lbragstad is pretty sure jamielennox knows the answers to everything		18:25
cmurphy	lbragstad: fact	18:25
lbragstad	hrybacki related to the original bug or related to the fix?	18:25
kmalloc	hrybacki: yeah we fixed that at some point	18:25
hrybacki	tl;dr, if `change_password_upon_first_use` is true, users cant even login (cli/horizon)	18:25
kmalloc	hrybacki: there was some ick around it.	18:25
hrybacki	hmm	18:26
kmalloc	hrybacki: it had to do with enforcement on the APIs	18:26
lbragstad	well - we used to have a policy for it	18:26
kmalloc	you needed to login to change a password (iirc)	18:26
lbragstad	for v2.0	18:26
kmalloc	and in rocky we fixed some of it	18:26
*** raildo has joined #openstack-keystone		18:26
kmalloc	you cant login to keystone if you need to change you password	18:26
lbragstad	well - we removed it so that we could do the policy validation based on password logic	18:27
kmalloc	but horizon now, i think has a "change password" that doesn't require login	18:27
kmalloc	change password is explicitly non-enforced API	18:27
kmalloc	for that reason	18:27
hrybacki	kmalloc: hmm	18:27
cmurphy	i don't think you can change your password without logging into horizon	18:27
hrybacki	lemme look for that	18:27
hrybacki	fix	18:27
*** mvkr has joined #openstack-keystone		18:28
lbragstad	we've had a lot of questions/bugs around this specific area for a while	18:32
lbragstad	i know it was brought up a few times in denver	18:32
hrybacki	yeah, we have Cu. asking for (the fix) in queens	18:33
hrybacki	that fix landed in Rocky?	18:34
lbragstad	which fix?	18:36
lbragstad	https://bugs.launchpad.net/keystone/+bug/1791111 still needs to be verified	18:36
openstack	Launchpad bug 1791111 in OpenStack Identity (keystone) "allow change password upon first use as user" [Undecided,New]	18:36
hrybacki	lbragstad: maybe i misread kmalloc comment above. Our bug (https://bugzilla.redhat.com/show_bug.cgi?id=1628541) found that we were unable to reset the pass even through horizon	18:42
openstack	bugzilla.redhat.com bug 1628541 in openstack-keystone "change_password_upon_first_use=true should allow a user to change his password upon first use" [High,New] - Assigned to hrybacki	18:42
hrybacki	Trying to find a delta between Queens and Rocky	18:43
kmalloc	you can NEVER login to keystone wiht a locked (change password on first use) password	18:44
kmalloc	horizon would need to handle that case with an explicit "change password form" that doesn't require login	18:44
kmalloc	which may/may not be implemented	18:45
kmalloc	keystone wont allow a login (as it shouldn't)	18:45
cmurphy	horizon doesn't have that	18:45
kmalloc	this is why the change_password API is unprotected (you must have the original password to change password)	18:45
kmalloc	hrybacki: ^ then the behavior is expected, no login with first password change required.	18:45
cmurphy	we should have told the horizon team that when we implemented it...	18:46
hrybacki	ahh	18:46
kmalloc	hrybacki: marked the bug as invalid, commented on it	18:49
kmalloc	and added horizon to the bug	18:49
hrybacki	thanks kmalloc. fk i type slow w/ one hand	18:49
hrybacki	I'll rope in internal horizon team to raise vis	18:50
lbragstad	recreating that locally	18:50
lbragstad	and using osc is going to fail, too	18:50
lbragstad	for the same reason	18:50
lbragstad	since osc is going to ask keystone for a token (possibly for discovery stuff) and that is going to fail with a 401	18:51
* hrybacki nods		18:51
lbragstad	so... does this mean we really only support change password at first use when using the rest API directly?	18:51
hrybacki	it would seem so	18:51
hrybacki	PCIDSS compliance issue	18:52
kmalloc	it would be a gap in horizon's support in this case.	18:54
kmalloc	lbragstad: we can't ever allow someone to login with a real token issued (it conveys "authN" and may be used if something allows keystone tokens) if the password/user is locked	18:55
lbragstad	yeah... it just goes against how all the other token/discovery stuff works	18:58
lbragstad	in those cases the clients would need to know to skip getting a token and just build the request from scratch and put that on the wite	18:59
lbragstad	wire*	18:59
*** pcaruana has quit IRC		19:03
kmalloc	well then...	19:31
kmalloc	oslo_serialization is just too damn clever	19:31
kmalloc	was trying to figure out why a test suddenly started failing...	19:31
kmalloc	because jsonutils.loads(b'"test"') works	19:32
kmalloc	where json.loads() raises the expected error	19:32
kmalloc	eyeroll	19:32
*** dave-mccowan has quit IRC		19:34
gagehugo_	reading scrollback	19:40
*** dave-mccowan has joined #openstack-keystone		19:45
openstackgerrit	Harry Rybacki proposed openstack/keystone master: Convert projects API to Flask https://review.openstack.org/603451	19:50
*** blake has joined #openstack-keystone		19:50
lbragstad	kmalloc did you want to revert https://review.openstack.org/#/c/558193/ ?	19:54
lbragstad	i see your revert was abandon?	19:55
*** pcaruana has joined #openstack-keystone		19:55
cmurphy	he was grumpy about having to rebase	19:55
gagehugo_	hrybacki: that projects flask change is perfectly balanced	19:56
lbragstad	lol	19:57
lbragstad	wxy-xiyuan just catching up on the oslo.limit patches, let me know whenever you get a follow up to https://review.openstack.org/#/c/596520/ and i'll promptly review	19:58
kmalloc	lbragstad: abandoned.	20:02
kmalloc	not needed	20:02
lbragstad	ack - thanks	20:02
*** pcaruana has quit IRC		20:06
openstackgerrit	Morgan Fainberg proposed openstack/keystone master: Replace JSON Body middleware with flask-native func https://review.openstack.org/609535	20:14
kmalloc	cmurphy: ++ yes, i was worried it was going to be a huge rebase	20:15
kmalloc	it was 3 lines.	20:15
openstackgerrit	Morgan Fainberg proposed openstack/keystone master: Remove skip for test_locked_out_user_sends_notification https://review.openstack.org/609159	20:15
openstackgerrit	Morgan Fainberg proposed openstack/keystone master: Convert S3 and EC2 auth to flask native dispatching https://review.openstack.org/609500	20:15
openstackgerrit	Morgan Fainberg proposed openstack/keystone master: Replace JSON Body middleware with flask-native func https://review.openstack.org/609535	20:15
*** itlinux has joined #openstack-keystone		20:46
*** Emine has joined #openstack-keystone		21:00
*** Emine has quit IRC		21:08
*** raildo has quit IRC		21:14
openstackgerrit	Morgan Fainberg proposed openstack/keystone master: Cleanup keystone.server.flask.application https://review.openstack.org/609548	21:34
openstackgerrit	guang-yee proposed openstack/keystone master: add unit tests for healthcheck https://review.openstack.org/609549	21:34
*** jdennis has quit IRC		21:36
*** blake has quit IRC		21:37
*** jdennis has joined #openstack-keystone		21:42
*** munimeha1 has quit IRC		21:44
*** raildo has joined #openstack-keystone		21:53
*** raildo has quit IRC		21:54
openstackgerrit	guang-yee proposed openstack/keystone master: add unit tests for healthcheck https://review.openstack.org/609549	22:00
*** aojea has quit IRC		22:08
*** rcernin has joined #openstack-keystone		22:41
kmalloc	gyee: hehe, sorry one more -1	22:41
kmalloc	gyee: but... as you can see the new flask stuff makes things a lot easier ;)	22:41
kmalloc	lbragstad: ok ok... i am having a weird issue	22:42
kmalloc	lbragstad: i can't seem to make keystone work without the normalizing middleware.	22:42
kmalloc	and it isn't because our URLs are weird.	22:42
kmalloc	it... some side effect is happening when we do the webob specific mechanism for changing request.environ['PATH_INFO'] that doesn't work any other way.	22:43
kmalloc	... i'm baffled.	22:43
kmalloc	replicating the exact logic in a different manner doesn't seem to work, i get errors like "cannot find resource XXXX" where the only difference in the code base is the old middleware vs new way of doing the same exact thing	22:43
gyee	kmalloc, at this rate, there ain't any code left to write! :-D	22:51
kmalloc	gyee thats the point!	22:51
kmalloc	:)	22:51
gyee	seriously, I love the new paradigm. Very cool stuff.	22:51
kmalloc	write only the "does this respond how i expect it to" code not all the other cruft	22:51
gyee	all meat, no fat	22:51
kmalloc	gyee: it's been ~10000 lines of code in the last few months to get here	22:51
kmalloc	and i know way way way way way more about how all the crufty internals of keystone work now.	22:52
gyee	wow, good work	22:52
kmalloc	gyee: https://review.openstack.org/#/q/topic:bug/1776504+(status:open+OR+status:merged)	22:52
kmalloc	gyee: and https://review.openstack.org/#/q/topic:flaskification+(status:open+OR+status:merged)	22:52
kmalloc	officially had the first patch merge on 06/04	22:53
kmalloc	and today is 10/10.	22:53
gyee	code machine	22:53
kmalloc	the last of the outstanding patches posted convert the last of the major code in keystone to flask.	22:53
kmalloc	i'm now fighting with something weird in the webob middleware(s)... that doesn't make sense.	22:54
kmalloc	gyee: and we initially thought this project would be something an intern could do :P	22:55
gyee	you not kidding	22:58
openstackgerrit	guang-yee proposed openstack/keystone master: add unit tests for healthcheck https://review.openstack.org/609549	23:02
*** aloga has quit IRC		23:15
kmalloc	ahahah amazing what you find when you remove all the application/webob processing :P	23:22
kmalloc	things like "render exception" cruft.	23:22
*** aloga has joined #openstack-keystone		23:27
kmalloc	webob is all like https://www.youtube.com/watch?v=Sh8mNjeuyV4	23:29
*** mchlumsky has quit IRC		23:46

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!